Bug#929755: gvfs: CVE-2019-12447 CVE-2019-12448 CVE-2019-12449
Salvatore Bonaccorso
carnil at debian.org
Thu May 30 15:00:04 BST 2019

Source: gvfs
Version: 1.38.1-3
Severity: important
Tags: security upstream
Control: found -1 1.30.4-1

Hi,

The following vulnerabilities were published for gvfs.

CVE-2019-12447[0]:
| An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
| daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid
| is not used.

CVE-2019-12448[1]:
| An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
| daemon/gvfsbackendadmin.c has race conditions because the admin
| backend doesn't implement query_info_on_read/write.

CVE-2019-12449[2]:
| An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
| daemon/gvfsbackendadmin.c mishandles a file's user and group ownership
| during move (and copy with G_FILE_COPY_ALL_METADATA) operations from
| admin:// to file:// URIs, because root privileges are unavailable.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12447
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12447
[1] https://security-tracker.debian.org/tracker/CVE-2019-12448
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12448
[2] https://security-tracker.debian.org/tracker/CVE-2019-12449
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12449

Please adjust the affected versions in the BTS as needed, please do
though check (all versions in Debian should be affected).

Regards,
Salvatore